Security, RFID and
Consumers
RFID Security, Theory and Practice
mr. dr. Bart Schermer
RFID Platform Nederland
About me
• Secretary RFID Platform Nederland
• Privacy specialist at ECP.NL
• Partner at Considerati
• Assistant professor at the University of Leiden
(faculty of law)
Board RFID Nederland
RFID Nederland
“Stimulating the uptake of RFID
technology and ensuring its
responsible use”
• Market initiative
• 50 participants
• www.rfidnederland.nl
• www.watisrfid.nl
Business drivers for RFID
Realtime insight into business processes increases:
•Efficiency
•Security
•Customer loyalty
Why are these similar?
Source: ADT Tyco
Opposing views...
RFID and the Public Opinion
RFID vulnerabilities
• Skimming / eavesdropping
• Weak crypto
• Tag reader authentication
Security risks
• Access to data on the chip (including possible keys)
• Access to associated databases
• Access to communication between tag and reader
• Attack vector for databases (e.g. viruses, SQL injection)
• Cloning (!!!!)
• Possibility to follow / track and trace people
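The "attack vector for databases" bullet is the case of tag memory being trusted as input to the back-end. What follows is an added example, not code from the slides or from RFID Platform Nederland, of a reader back-end that looks up scanned tag IDs; the `tags` table, its sample IDs, the 16-hex-character ID format and the hostile tag content are all constructed for this illustration.

```python
import re
import sqlite3

# Constructed assumption: tag IDs in this system are 8 bytes printed as 16 hex
# characters. Anything else coming out of tag memory is treated as hostile.
TAG_ID_RE = re.compile(r"[0-9A-Fa-f]{16}")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the 'associated database': a ticket table keyed by tag ID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (tag_id TEXT PRIMARY KEY, item TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO tags VALUES (?, ?, ?)",
        [
            ("04A2B3C4D5E6F708", "day ticket", "valid"),
            ("04112233445566AA", "subscription", "valid"),
            ("04DEADBEEF000001", "day ticket", "revoked"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tag_data: str) -> list:
    """The 'before': middleware trusts tag memory and splices it into SQL.
    Whatever was written into the tag becomes part of the query text."""
    sql = "SELECT item, status FROM tags WHERE tag_id = '" + tag_data + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, tag_data: str) -> tuple:
    """The 'after': validate the tag ID against its expected format first, then
    bind it as a parameter so the database never interprets it as SQL.
    Returns (verdict, row) with verdict in {'rejected', 'unknown', 'ok'}."""
    if not TAG_ID_RE.fullmatch(tag_data):
        return ("rejected", None)  # malformed tag memory: log it, never query it
    row = conn.execute(
        "SELECT item, status FROM tags WHERE tag_id = ?", (tag_data.upper(),)
    ).fetchone()
    if row is None:
        return ("unknown", None)  # well-formed ID that this system never issued
    return ("ok", row)


# Constructed hostile tag content: a tag whose memory holds SQL instead of an ID.
HOSTILE_TAG = "' OR status='valid' --"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "04A2B3C4D5E6F708"))  # genuine tag: one row
    print(lookup_vulnerable(db, HOSTILE_TAG))          # forged tag: every valid ticket
    print(lookup_hardened(db, HOSTILE_TAG))            # ('rejected', None)
    print(lookup_hardened(db, "04a2b3c4d5e6f708"))     # ('ok', ('day ticket', 'valid'))
```

The format check is what makes the second risk on the slide ("access to associated databases") detectable: a rejected read is an event worth logging, not just a failed lookup.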
“Big Brother is watching you!”
Privacy risks
• Due to its invisible nature RFID can be used to surreptitiously gather
personal data.
• Companies can use this information to profile and classify customers
• Companies can use this information to follow and track consumers
throughout their daily lives
• Companies can use invasive Minority Report style advertising
The role of privacy
• Information is power
• (Personal) data is used to profile and classify
consumers
• Privacy is a means to maintain ‘economic equality’
between companies and consumers
• Consumers (should) have a say in the processing of
their personal data
EU Privacy Law
• Data Protection Directive (95/46/EC)
• Telecom Privacy Directive (2002/58/EC)
EU Privacy Law
• Surreptitious gathering of personal data is a violation of the data
protection directive (95/46/EC).
• Using personal data for purposes other than those for which it was
gathered is a violation of the data protection directive
• Surreptitiously monitoring and following people is a criminal
offence (and where not, it should be).
• Targeted advertising without prior permission from consumers is
a violation of the data protection directive and the Telecom
Privacy Directive (2002/58/EC).
Example I: OV chipkaart
• Mifare Classic (subscriptions etc.) / Mifare Ultralight (day tickets)
• Hack Plotz & Nohl (reverse engineering -> skimming -> cloning)
• Hack Radboud I (Mifare Ultralight) (skimming -> cloning)
• Dutch Data Protection Authority warns GVB, NS
• Hack Radboud II (Mifare Classic) (cryptanalysis -> skimming -> cloning)
• Press coverage differs from the facts
• NXP (wrongfully) bashed for providing insecure chip
• Security through obscurity worked for 13 years...
See also: https://ovchip.cs.ru.nl/Event_history
Example II: retail
Privacy or security?
Incident driven response...
• Consumer backlash (boycott) against technology
• Motion to cancel the OV chipkaart
• EU Recommendation on RFID & Privacy:
- Mandatory privacy impact assessment
- Opt-in for retail environment
Observations
• Emphasis on technology instead of application
• Security issues and privacy issues are often confused
• Business reality can differ from security reality
- security through obscurity may make sense for a business
- cost/risk analysis is leading, not 100% security
• Solutions are currently viewed as either/or
(e.g. opt-in for retail)
• There is no integrated approach towards security and
privacy
The right tool for the job
• 100% security is not always the optimal economic decision
• RFID should not be the only security measure
• Focus on the problem, not the technology
• What tool is most effective
Suggestions
• Clear(er) distinction between privacy and security
- strengthen overall system security
- create tools to enhance privacy (Privacy by design, PETs)
- create tools to effectuate legal safeguards (consumer in control)
• Security experts must educate businesses, consumers,
policymakers and politicians (in English please)
• Security, business processes, and legal safeguards must
strengthen each other
The way forward
Companies should:
• Use RFID in a responsible manner
• Provide benefits not only to themselves, but also to consumers
• Provide openness and transparency about the use of RFID
• Provide a truly free choice for consumers
Government should:
• Create tools for the protection of privacy (PETs, RFID guardians, logo
system)
• Place the consumer in control
• Monitor possible shifts in the balance of power, and correct where
necessary
Security experts and researchers should:
• Try to translate their work into proper English (e.g. Jip and Janneke)
• ...Keep up the good work
Bart Schermer
ECP.NL / RFID Platform Nederland
Overgoo 11
2260 AG Leidschendam
070-4190309
bart.schermer@ecp.nl
“RFID will have a greater impact on our society
than the Internet has had”
-- Prof. Cor Molenaar, chairman of RFID Nederland
Questions?
A balanced perspective on RFID